<html>
<head><meta charset="utf-8"><title>Hunting for malicious packages on PyPI · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Hunting.20for.20malicious.20packages.20on.20PyPI.html">Hunting for malicious packages on PyPI</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="216616671"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Hunting%20for%20malicious%20packages%20on%20PyPI/near/216616671" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Hunting.20for.20malicious.20packages.20on.20PyPI.html#216616671">(Nov 13 2020 at 14:19)</a>:</h4>
<p>Not Rust, but... fun article: <a href="https://jordan-wright.com/blog/post/2020-11-12-hunting-for-malicious-packages-on-pypi/">https://jordan-wright.com/blog/post/2020-11-12-hunting-for-malicious-packages-on-pypi/</a></p>



<a name="216619292"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Hunting%20for%20malicious%20packages%20on%20PyPI/near/216619292" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Hunting.20for.20malicious.20packages.20on.20PyPI.html#216619292">(Nov 13 2020 at 14:37)</a>:</h4>
<blockquote>
<p>I found malicious packages on npm using artisanal grepping</p>
</blockquote>
<p><span aria-label="joy" class="emoji emoji-1f602" role="img" title="joy">:joy:</span></p>



<a name="216664462"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Hunting%20for%20malicious%20packages%20on%20PyPI/near/216664462" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Vytautas Astrauskas [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Hunting.20for.20malicious.20packages.20on.20PyPI.html#216664462">(Nov 13 2020 at 19:53)</a>:</h4>
<p><span class="user-mention silent" data-user-id="232545">Joshua Nelson</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Hunting.20for.20malicious.20packages.20on.20PyPI/near/216619292">said</a>:</p>
<blockquote>
<blockquote>
<p>I found malicious packages on npm using artisanal grepping</p>
</blockquote>
<p><span aria-label="joy" class="emoji emoji-1f602" role="img" title="joy">:joy:</span></p>
</blockquote>
<p>Just FYI: our <a href="https://github.com/rust-corpus/qrates/">Qrates</a> DB contains information about build scripts (what functions are called, etc.) in case someone is interested in checking them for “interesting” behaviour.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>